Root cause investigation, action plan, implementation, and effectiveness verification — core 820.100 CAPA steps remain.
CA and PA must be separate documented procedures; actions must be proportionate to risk; adverse-effect check on safety and regulatory compliance required.
Standalone preventive action procedure and proportionality rationale — common 483 area for legacy combined CAPA SOPs.
Maps to
QMSR / ISO 13485: §820.100 Corrective and preventive action.
ISO 13485: §8.5.2 Corrective action, §8.5.3 Preventive action
Requirement text
The organization shall establish documented procedures for corrective action to eliminate the cause of nonconformities, and preventive action to eliminate causes of potential nonconformities. FDA-Plus: CAPA procedures must include analysis of quality data sources (complaints, audits, NCRs, service records) to identify existing and potential causes of nonconforming product. Effectiveness of CAPA must be verified and documented.
Why this clause exists
CAPA is the most cited area of FDA 483 observations — year after year, across device categories and company sizes — because it is the mechanism the quality system uses to learn from its own failures, and its weakness is both easy to detect and systemically consequential. The core regulatory rationale is straightforward: a nonconformity that recurs after a corrective action was supposedly taken is evidence that the root cause was not correctly identified or the action was insufficient. FDA warning letters frequently cite inadequate CAPA as the thread connecting separate product failures: investigators demonstrate that complaint data, NCR trends, and audit findings all pointed to the same underlying systemic weakness, yet no corrective action addressed the root cause because each signal was handled in isolation. ISO 13485 clauses 8.5.2 and 8.5.3, incorporated into the QMSR at 820.10, require that corrective and preventive actions be separate documented procedures — distinct workflows, not a merged form — and that each be proportionate to the effects of the nonconformity. Proportionality is a risk-based principle: a safety-critical failure mode warrants deep root cause investigation and systemic change; a documentation clerical error does not. The verification of effectiveness requirement exists because organizational incentives tend toward closure: once a corrective action is implemented, the pressure is to close the CAPA and move on, rather than wait to confirm that the specific failure has not recurred.
What changed
§820.100 — Part 820 (legacy)
"Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action. The procedures shall include requirements for: (1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems; (2) Investigating the cause of nonconformities relating to product, processes, and the quality system; (3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems; (4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device; (5) Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems; (6) Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems; and (7) Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review. All activities required under this section, and their results, shall be documented."
§8.5.2 — ISO 13485:2016 (current)
"The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence. Any necessary corrective actions shall be taken without undue delay. Corrective actions shall be proportionate to the effects of the nonconformities encountered. The organization shall document a procedure to define requirements for: a) reviewing nonconformities (including complaints); b) determining the causes of nonconformities; c) evaluating the need for action to ensure that nonconformities do not recur; d) planning and documenting action needed and implementing such action, including, as appropriate, updating documentation; e) verifying that the corrective action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device; f) reviewing the effectiveness of corrective action taken. Records of the results of any investigation and of action taken shall be maintained (see 4.2.5)."
Δ Corrective actions must be proportionate to nonconformity effects and taken without undue delay; effectiveness review is now a required step, and the adverse-effect check explicitly includes regulatory requirements and safety/performance.
Common gaps (what we see in audits)
- No Separate Preventive Action Procedure — Many Part 820-era QMS libraries treat corrective and preventive action as a single combined procedure. ISO 13485 requires distinct documented procedures for corrective action (8.5.2) and preventive action (8.5.3), each with their own inputs, investigation methods, and records. Organizations that cannot demonstrate a standalone preventive action process will face audit findings.
- Inadequate Effectiveness Verification — ISO 13485 requires verification that corrective/preventive actions do not adversely affect device safety, performance, or regulatory compliance. Many organizations check only whether the specific nonconformity recurred, without verifying broader impact. This is also one of the most frequent FDA 483 observations for CAPA systems.
- Failure to check 'adverse effects' — The CAPA procedure doesn't require an evaluation of whether the fix itself introduced new hazards or regulatory non-compliance. ISO 13485 §8.5.2(e) requires this check.
- Undue delay in closure — CAPAs remain open for 12+ months with no documented rationale for the delay. ISO 13485 §8.5.2 requires action 'without undue delay.'
- Missing Risk-Based CAPA Prioritization — ISO 13485 requires that actions be "appropriate to the effects" of the nonconformities, which implies a risk-based prioritization scheme. Many legacy CAPA procedures treat all CAPAs with the same level of investigation rigor regardless of severity, leading to either over-investigation of minor issues or under-investigation of serious ones.